FAA Computer Security:

Concerns Remain Due to Personnel and Other Continuing Weaknesses

AIMD-00-252: Published: Aug 16, 2000. Publicly Released: Sep 27, 2000.

Additional Materials:


Joel C. Willemssen
(202) 512-6253


Office of Public Affairs
(202) 512-4800

Pursuant to a congressional request, GAO provided information on the status of the Federal Aviation Administration's (FAA) computer security efforts, focusing on: (1) FAA's history of computer security weaknesses, as described in GAO's May 1998 and December 1999 reports, and GAO's prior recommendations to address those weaknesses; (2) FAA's progress in implementing GAO's recommendations and its own personnel security policy, including GAO's assessment of the adequacy of these actions; and (3) the preliminary results of GAO's ongoing work.

GAO noted that: (1) FAA has a history of computer security weaknesses in a number of areas, including its physical security management at facilities that house air traffic control systems, systems security for both operational and future systems, management structure for implementing security policies, and personnel security; (2) over the last 3 years, GAO made 22 recommendations to FAA to address these security weaknesses; (3) while FAA is working to address computer security weaknesses, its progress has been slow in key areas; (4) GAO's ongoing work is finding that FAA still has much to do in the areas of physical, systems, and personnel security; (5) specifically, the agency has not yet completed efforts to accredit its facilities and systems as secure, and has not yet completed background checks on thousands of contractors actively working on FAA contracts; and (6) until it does so, the agency will continue to have undue exposure to intrusions and malicious attacks on its facilities, information, and resources.